Ultimately it worked out fine. I indeed used the trick in point #3, then:

- POST /2/users/get_current_account (with an auth token for the restricted user), then fetch root_info/root_namespace_id
- from there, add the header Dropbox-Api-Path-Root set to {".tag": "namespace_id", "namespace_id": the_root_namespace_id}
- fetch using /2/files/list_folder (and continue version)

This allows restricted access to a team-shared folder.

Now a word of feedback: I really hope in the future it will be possible to avoid the creation of a specific user & restrictions, and instead have Dropbox provide an additional level of access (instead of Full Dropbox vs. User-Specific-Folder) to allow access to a restricted list of folders.

In all cases, thanks for your help, which put me on the right track!

-- Thibaut
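The three steps from the post above, as an added example that is not part of the original thread and not Dropbox's own code. The `outside_allowed` check, the `fake_post` stand-in, the folder names and the namespace id are constructed assumptions; the check reports anything the restricted user's token can list beyond the folders it is meant to reach.

```python
import json
import urllib.request

API = "https://api.dropboxapi.com/2"

def http_post(url, headers, body):
    # Real transport (not exercised offline). json.dumps(None) sends "null",
    # the body used here for the argument-less get_current_account call.
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def list_from_team_root(token, post=http_post, path=""):
    """Steps from the post: resolve the root namespace, then list under it."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    account = post(f"{API}/users/get_current_account", headers, None)
    root_ns = account["root_info"]["root_namespace_id"]
    headers["Dropbox-Api-Path-Root"] = json.dumps(
        {".tag": "namespace_id", "namespace_id": root_ns})
    page = post(f"{API}/files/list_folder", headers, {"path": path})
    entries = list(page["entries"])
    while page["has_more"]:  # the "continue version" of list_folder
        page = post(f"{API}/files/list_folder/continue", headers,
                    {"cursor": page["cursor"]})
        entries.extend(page["entries"])
    return entries

def outside_allowed(entries, allowed_prefixes):
    """Paths the token can see that are not under an allowed folder."""
    def ok(p):
        return any(p == a or p.startswith(a + "/") for a in allowed_prefixes)
    return [e["path_lower"] for e in entries if not ok(e["path_lower"])]

# Constructed responses standing in for the Dropbox API (not real data).
def fake_post(url, headers, body):
    if url.endswith("/users/get_current_account"):
        return {"root_info": {"root_namespace_id": "1000"}}
    assert json.loads(headers["Dropbox-Api-Path-Root"])["namespace_id"] == "1000"
    if url.endswith("/files/list_folder"):
        return {"entries": [{"path_lower": "/accounting"}], "cursor": "c1", "has_more": True}
    return {"entries": [{"path_lower": "/bot user"}], "cursor": "c2", "has_more": False}

if __name__ == "__main__":
    seen = list_from_team_root("TOKEN_PLACEHOLDER", post=fake_post)
    print(outside_allowed(seen, ["/accounting"]))
```

Running the same check against the real API after every change to the group restrictions shows whether the dedicated user's view has widened.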

Hello Chuck,

> When you say the app can only see its own documents and not the company (team) shared folder for #3 do you mean, literally the listing does not contain ANY team folder content at all? As if it didn't exist?

It's exactly that. It can see its own documents (currently "get started with dropbox pdf"), and nothing else.

Thanks for your quick feedback, I'm diving into the namespacing documentation & playing around with the PAW API client, to see if I can figure out how to get what I need here. Will report back.

-- Thibaut

Hello,

I have an accounting system for which we'd like to leverage our Dropbox Business subscription. What I need is a Dropbox folder, shared with specific members only, and a way to create a Dropbox API access which will be limited to editing that specific folder. In short, it would be an "App folder" but not restricted to a specific user.

The limitation would be made to ensure calls from the accounting system could not reach other parts of the company Dropbox (this point agrees with the DBX platform developer guide recommendation that "Your app should use the least privileged permission it can").

We thought about multiple options, but none seems to answer that need.

1/ Using the Dropbox API with "App folder" permission

If we create an app with that level of permission, and generate a token, a folder is created in the private part of the user Dropbox, but this App folder cannot be shared with other users, nor moved to a part where it would be shareable. It is completely locked inside the private folder of the user, which makes it useless for our use case.

2/ Using the Dropbox API with "Full access"

The accounting system would have access not only to the folder we want to share, but also to every single document provided by Dropbox to our company. A single programming mistake or breach would be problematic - this does not address our need.

3/ Trick: using the Dropbox API via a dedicated user

We tried creating a new "Bot" Dropbox user (attached to the company), then using the Dropbox "groups" feature to forbid access to all folders except the one we want to share with that app. If we create an app, this time with "Full access" (which is restricted thanks to the groups above), a programmatic access via the token can only see its own documents, not the company shared folder apparently, so this again does not address the need.

4/ Using the Dropbox Business API file access

If I understand correctly, a token created this way is able to impersonate any user, hence getting access to the whole Dropbox, so this does not address our need.

So this leads me to the question: is there a way to have programmatic access, restricted (for obvious security reasons) to a single folder, which is shared by N users?

Many thanks,

-- Thibaut